malware embedded in .jpg, .doc

Discussion in 'other anti-malware software' started by Rabiddog, Aug 25, 2009.

Thread Status:
Not open for further replies.
  1. Rabiddog

    Rabiddog Guest

    Do most AV's detect this? How about Prevx or Mamutu ? What solution do you have for this, besides not downloading .jpg's or .doc's?
     
  2. Rabiddog

    Rabiddog Guest

    I see my question switched to another subject (.jpg's etc...) in my last post: "Defensewall and Sandboxie"

    Wanted to start this anew, about malware protection in .jpg's or .doc's.
    I asked Prevx, haven't had a response.
     
  3. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    As far as I'm aware all good Anti's should detect things like you suggest.
     
  4. Rabiddog

    Rabiddog Guest

    Do you know if they detect as you download and save them, or when you open them? Or does it matter?
     
  5. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Rabiddog

    A good Anti should detect as you're downloading, and often before, especially if it reads dodgy code in the webpage that's waiting to pounce on people.

    If the Malware is what's called Packed/Compressed with something like UPX for eg, then you might download without an Anti detect, sometimes it/they will though, but as soon as you try to run it then it/they should jump in and prevent/delete it.

    ssj100 is right to quote what Rmus says. But I didn't get blasted with ANY .wmf exploits when they were out a few years back, no matter how many I tried. As well as a good AV/AT/AE I also had my 98SE + IE6 locked down securely, and as it turned out 98SE wasn't vulnerable lol. I'm now on XP + IE6 + FF also locked down in a similar fashion.
     
  6. ssj100

    ssj100 Guest

    So you're saying that your AV blocked it all mate? I'm not sure what you mean by AT, and I'm guessing AE is anti-executable? Also, since 98SE wasn't vulnerable, how could it be a real test of the malware? And what do you mean exactly by the terms "locked down"? Thanks for your help.
     
  7. wat0114

    wat0114 Guest

    Doesn't a long ago released MS patch as discussed here address this exploit?
     
  8. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    ssj100

    No mate, I'm not saying my "AV blocked it all" or would have, not until it got the updated DEF's anyway. But if I remember correctly, some of the later WMF's were then blocked heuristically.

    AT = AntiTrojan which at the time was BoClean

    AE = anti-executable correct, which at the time was WinSonar

    We only discovered that 98SE probably wasn't vulnerable a week or two into the testing. Myself, Rmus + others conducted tests on a daily basis as soon as new .WMF's were discovered. Still, as nothing's 100%, 98SE still could have been vulnerable in some way/s, and the only way to find out was to test. This was with + without Anti's, but not one worked.

    I even tried running them with XnView, as just mentioned by wat0114, still nothing !

    Locked down =

    OS -

    Disabling all unnecessary startups and services etc and things like Telnet, wscript etc etc that I didn't need that could be used by Malware. Installing Script Defender which not only blocks Scripts, but ANY other .Extension you care to add in too.

    Browsers -

    Disabling ActiveX/Scripting/Java/iframes etc etc. Enabling the My Computer Zone in IE Options via the Reg and disabling/prompting the aforementioned items. This particular Zone has nothing to do with Internet duties, but helps to protect the OS.
     
  9. ssj100

    ssj100 Guest

    Thanks for your reply. Unfortunately, "locking down" would sacrifice a lot of usability/convenience for 99.9% of people. Right?
     
  10. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    ssj100

    Re "locking down would sacrifice"

    I can't speak for everyone else out there in www land. But I do know from practical experience in trying to help others over the years, in the real world, lots of people just can't be bothered with security. That's either to learn how to better secure, or how to properly clean up after the inevitable multiple infections they get, and keep getting!

    They see it as either too much trouble, or as is more often the case, they just can't absorb even small amounts of info, and/or forget. And these aren't all dumbo people, or kids.

    So running as you do in a Sandbox is a good idea for people like that, but as I've found, they find things like that just too complicated. Something like Returnil or Deep Freeze would be easier, but they would still have to know how to set it up and then daily etc save stuff to a separate place so it wouldn't get wiped. And even doing these things is too much for many!

    If Returnil solved the System Restore problem I'd start using it again tomorrow, so I hope they get it sorted ASAP.
     
  11. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Wouldn't an anti-executable stop GDI32.DLL from loading? Or is it a trusted executable?
     
  12. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    We have seen a number of executables embedded inside JPGs/DOCs/any other file format. Be careful: when you double click on a JPG or any other non-executable file which has an executable file embedded in it, the one which will be opened is the non-executable file.

    An example: if you open a JPEG file which has an embedded executable file in it, the JPEG image will be shown. The executable will not be executed at all.

    To be executed, the executable needs a loader - a part of the malware which is already on the infected PC - which extracts the embedded executable from the JPEG image and runs it.

    This is the important step, and this is where Prevx detects the embedded executable.
     
  13. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Detections when I first came across brkmail.jpg:
    Detections now:
     
  14. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Well, that's because most likely this is not a jpeg, but an executable with wrong extension (jpg instead of exe) :)
     
  15. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Well, usually an executable is embedded inside a jpg file to evade some basic security filters. It's a common way used by malware to download malicious components from the web. So, often if you catch on a PC a jpg with an executable file inside it, there should be another running infection which downloaded it.

    This doesn't mean that it is the only way for an embedded executable file to get executed. Technically the JPG could exploit some flaw and run the executable. But usually exploit files don't contain embedded files.

    If you see a jpg with embedded executable, it's unlikely to be an exploit attack but instead there is most likely another infection running on the system.
     
  16. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    And rescanned just now with good results:
     
  17. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    As said before, either it's an executable file with the wrong extension or it is a real gif image with an embedded executable inside it. If it's just a gif with an embedded executable, it's not all that important to detect the whole image as malware, because if you run it the only thing that will happen is displaying the image itself (unless it's an exploit, but in that case it should be detected as an exploit).
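    The two cases EraserHW keeps separating (an executable merely renamed to .jpg, versus a real image with an executable appended after it, which only a loader already on the machine would carve out and run) can be told apart by content rather than by extension. This is an added example, not code from the thread or from Prevx; the JPEG segment walker and PE header check are my own, and the sample bytes are constructed rather than real files:

```python
# Added example, not code from the thread: triage a .jpg by content (misnamed PE / JPEG with a PE appended / clean).
PE_MAGIC, SOI, EOI, SOS = b"MZ", 0xD8, 0xD9, 0xDA
def is_pe(data: bytes) -> bool:  # DOS 'MZ' stub whose e_lfanew field points at a 'PE\0\0' signature
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[:2] == PE_MAGIC and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
def find_pe(blob: bytes) -> int:  # offset of the first valid PE header anywhere in blob, or -1
    off = blob.find(PE_MAGIC)
    while off != -1 and not is_pe(blob[off:]):
        off = blob.find(PE_MAGIC, off + 1)
    return off
def jpeg_end(data: bytes) -> int:
    """Offset just past EOI, or -1 if not a well-formed JPEG. Segments are skipped by their
    length (so an EXIF thumbnail's nested EOI is not taken as the end); scan data after SOS
    is skipped until a marker that is neither a stuffed FF00 nor RSTn."""
    if data[:2] != bytes([0xFF, SOI]):
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == EOI:
            return pos + 2
        if marker == 0xFF or 0xD0 <= marker <= 0xD7 or marker in (0x01, SOI):
            pos += 1 if marker == 0xFF else 2      # fill byte or standalone marker
            continue
        length = int.from_bytes(data[pos + 2:pos + 4], "big") if pos + 4 <= len(data) else 0
        if length < 2:
            return -1
        pos += 2 + length
        while marker == SOS and pos + 1 < len(data) and not (
                data[pos] == 0xFF and data[pos + 1] != 0 and not 0xD0 <= data[pos + 1] <= 0xD7):
            pos += 1                               # inside entropy-coded scan data
    return -1

def classify(data: bytes) -> str:
    if is_pe(data):
        return "pe-with-jpg-extension"             # not an image at all, just misnamed
    end = jpeg_end(data)
    if end < 0:
        return "not-a-jpeg"
    trailer = data[end:]                           # anything after EOI is not part of the image
    if find_pe(trailer) != -1:
        return "jpeg-with-embedded-pe"             # what a loader already on the PC would carve out
    return "jpeg-with-trailing-data" if trailer else "jpeg-clean"

MINIMAL_JPEG = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
                b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\x00\x56\xff\xd0\x78\xff\xd9")
FAKE_PE = b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 20  # constructed samples
```

    A "jpeg-with-embedded-pe" verdict is the hunting signal EraserHW describes: the image is harmless on its own, so the thing to look for is the process that wrote or read it.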
     
  18. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    ANY file can have malware included.

    Merging the files together is known as steganography.
     
  19. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Ah I see. In that case wouldn't a HIPS help against this?
     
  20. ssj100

    ssj100 Guest

    Yes, that's what I was thinking. But here you are also suggesting that running a .txt file could get you infected spontaneously? So Ilya was wrong haha. He always said that DefenseWall doesn't cover .txt files because you can't get infected by them directly.

    I think now you are saying that a .txt file could infect you spontaneously if it's an exploit. That's incredible. I am sure everything is exploitable if you work hard enough right? I think I'm never going to introduce any more new files on my real system haha. I'll just use a sandboxed VM instead if I wanted to recover any new files on my real system. Sound good? Haha.
     
  21. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Ok, well, steganography is a bit more complex concept than simply "merging files together", but yes, in this case it gives the right idea :)

    http://en.wikipedia.org/wiki/Steganography
     
  22. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Indeed it's quite difficult to write an exploit that hits txt files. Parsing a txt file is more than trivial :D
     
  23. ssj100

    ssj100 Guest

    Cool mate, thanks to your insight, I've added another sandbox for bullet-proof protection. I've forced sandboxed my downloads folder (I'm sure many people do this actually). This way, even a .txt file will run sandboxed when I open it to see what's going on.

    I guess I'd never recover anything on to the real system unless I was 100% certain that it was a trusted file haha.
     
  24. EraserHW

    EraserHW Malware Expert

    Joined:
    Oct 19, 2005
    Posts:
    588
    Location:
    Italy
    Well, the problem wouldn't reside in the txt file itself (or jpg, or any other file format). The problem would reside in the application which opens and parses the specified file.

    If, for any reason, file parsing is not done correctly by the application and there could be any kind of memory corruption (caused for example by a buffer overflow) then this could allow an attacker to exploit this flaw and instruct the application to execute arbitrary commands (like executing malware components).
     
  25. Rabiddog

    Rabiddog Guest

    So, I guess I would have to have malware already on my machine for a bad .jpg to do any harm?
     